| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| Critical | 9.0 | CVE-2026-48150 | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign | from 0, < 3.39.0 |
| Critical | 9.0 | CVE-2026-35216 | Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step | from 0, < 3.33.4 |
| High | 8.8 | CVE-2026-45717 | Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL | from 0, < 3.38.1 |
| High | 8.8 | (none listed) | Budibase: Command Injection in Bash Automation Step | from 0, < 3.33.4 |
| High | 8.7 | (none listed) | Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write | from 0, < 3.33.4 |
| High | 8.1 | (none listed) | Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL | from 0, < 3.39.0 |
| High | 7.7 | (none listed) | Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection | from 0, < 3.39.0 |
| High | 7.7 | (none listed) | Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration | from 0, < 3.38.1 |
| High | 7.7 | (none listed) | Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation | from 0, < 3.34.8 |
| High | 7.5 | (none listed) | Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema | from 0, < 3.39.0 |
| Medium | 6.5 | (none listed) | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API | from 0, < 3.38.1 |
| (none listed) | — | (none listed) | Budibase: Unvalidated VectorDB Host Parameter Enables SSRF | from 0, < 3.35.3 |
| (none listed) | — | (none listed) | @budibase/server: Command Injection in PostgreSQL Dump Command | from 0, < 3.23.32 |